<!-- Enter a brief description/summary of your PR here. What does it
fix/what does it change/how was it tested (even manually, if necessary)?
-->
## Summary of the Pull Request
**This is a security issue fix**
In Hosts Editor module, we support to open the hosts file through user's
default editor.
The way to find the editor is that we will read a registry key and use
the value as a parameter to call Process.Start.
In most case, it works well. But Hosts editor module will launch as
admin permission. But the registry value can be modified in user 's
permission (without UAC request).
So, the malware may change the registry value and if user click the open
button. May call the dangerous command which written in registry.
<!-- Please review the items on the PR checklist before submitting-->
## PR Checklist
- [x] Closes: #46195
<!-- - [ ] Closes: #yyy (add separate lines for additional resolved
issues) -->
- [ ] **Communication:** I've discussed this with core contributors
already. If the work hasn't been agreed, this work might be rejected
- [ ] **Tests:** Added/updated and all pass
- [ ] **Localization:** All end-user-facing strings can be localized
- [ ] **Dev docs:** Added/updated
- [ ] **New binaries:** Added on the required places
- [ ] [JSON for
signing](https://github.com/microsoft/PowerToys/blob/main/.pipelines/ESRPSigning_core.json)
for new binaries
- [ ] [WXS for
installer](https://github.com/microsoft/PowerToys/blob/main/installer/PowerToysSetup/Product.wxs)
for new binaries and localization folder
- [ ] [YML for CI
pipeline](https://github.com/microsoft/PowerToys/blob/main/.pipelines/ci/templates/build-powertoys-steps.yml)
for new test projects
- [ ] [YML for signed
pipeline](https://github.com/microsoft/PowerToys/blob/main/.pipelines/release.yml)
- [ ] **Documentation updated:** If checked, please file a pull request
on [our docs
repo](https://github.com/MicrosoftDocs/windows-uwp/tree/docs/hub/powertoys)
and link it here: #xxx
<!-- Provide a more detailed description of the PR, other things fixed,
or any additional comments/features here -->
## Detailed Description of the Pull Request / Additional comments
<!-- Describe how you validated the behavior. Add automated tests
wherever possible, but list manual validation steps taken as well -->
## Validation Steps Performed
---------
Co-authored-by: Yu Leng (from Dev Box) <yuleng@microsoft.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
## Summary of the Pull Request
Adds a new Hosts File Editor setting “No leading spaces” that prevents
prepending spaces to active lines when saving the hosts file (when any
entry is disabled). Default is Off to preserve current behavior.
## PR Checklist
- [x] Closes: #36386
- [ ] Communication: N/A (small, scoped option)
- [x] Tests: Added/updated and all pass
- [x] Localization: New en-US strings added; other locales handled by
loc pipeline
- [ ] Dev docs: N/A
- [x] New binaries: None
- [x] Documentation updated: N/A
## Detailed Description of the Pull Request / Additional comments
- Settings surface:
- `src/settings-ui/Settings.UI.Library/HostsProperties.cs`: add
`NoLeadingSpaces`
- `src/modules/Hosts/HostsUILib/Settings/IUserSettings.cs`: add
`NoLeadingSpaces`
- `src/modules/Hosts/Hosts/Settings/UserSettings.cs`: load/save value
from settings.json
- `src/settings-ui/Settings.UI/ViewModels/HostsViewModel.cs`: expose
`NoLeadingSpaces`
- `src/settings-ui/Settings.UI/SettingsXAML/Views/HostsPage.xaml`: new
SettingsCard toggle
- `src/settings-ui/Settings.UI/Strings/en-us/Resources.resw`: add
`Hosts_NoLeadingSpaces.Header/Description`
- Writer change:
- `src/modules/Hosts/HostsUILib/Helpers/HostsService.cs`: gate indent
with `anyDisabled && !_userSettings.NoLeadingSpaces`
- Tests:
- `src/modules/Hosts/Hosts.Tests/HostsServiceTest.cs`:
`NoLeadingSpaces_Disabled_RemovesIndent`
Backward compatibility: default Off, current formatting unchanged unless
the user enables the option.
## Validation Steps Performed
- Automated: `HostsEditor.UnitTests` including
`NoLeadingSpaces_Disabled_RemovesIndent` passing.
- Manual:
1. Run PowerToys (runner) as Admin.
2. Settings → Hosts File Editor → enable “No leading spaces”.
3. In editor, add active `127.0.0.10 example1` and disabled
`127.0.0.11 example2`; Save.
4. Open `C:\Windows\System32\drivers\etc\hosts` in Notepad.
- ON: active line starts at column 0; disabled is `# 127...`.
- OFF: active line begins with two spaces when a disabled entry
exists.
